Supervalu breach shows why move to smartcards is long overdue

The data breach disclosed by Supervalu on Thursday shows yet again why the ongoing migration of the US payment system to smartcard technology can't happen soon enough.

Supervalu is one of the largest grocery wholesalers and retailers in the U.S., and the breach could affect thousands of people who shopped at the company's stores between June 22 and July 17, as well as customers of several other major grocery store chains for which Supervalu provides IT services. Supervalu has posted an online FAQ with details about the breach, which followed a criminal intrusion into its payment processing network.

The U.S. is the last among the developed nations to still predominantly use credit and debit cards based on magnetic stripe technology. Most other advanced countries switched to chip-based cards built on the Europay, MasterCard and Visa (EMV) standard a long time ago.

EMV-based smartcards have proved considerably safer than magnetic stripe cards because they are almost impossible to clone. A magnetic stripe holds static data that any reader can copy, whereas the chip holds a secret key that never leaves the card and uses it to produce a one-time cryptogram for each transaction. Crooks who capture data from a smartcard transaction therefore cannot use it to manufacture a working counterfeit card, as they routinely do with magnetic stripe data.

In many of the countries that have adopted the technology, users are required to enter a Personal Identification Number (PIN) instead of providing a signature when using the card, which makes a lost or stolen card much harder to misuse. Even an attacker holding the physical card needs the PIN to complete a chip-and-PIN purchase.
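The two paragraphs above describe why a skimmed stripe is a working clone while captured chip data is not. The following added example (written for this article, not code from Supervalu, the card brands or the EMV specifications) models both in a simplified form. The key names, the HMAC-SHA256 cryptogram and the sample track data are all constructed assumptions; real EMV derives 3DES or AES session keys from the transaction counter and signs a longer data set, and PIN verification is left out entirely.

```python
"""Magnetic stripe replay vs. an EMV-style per-transaction cryptogram.
Simplified model written for this article; NOT the real EMV cryptogram
format (which uses 3DES/AES session keys derived from the ATC over a
longer data set) and PIN verification is omitted."""
import hashlib
import hmac
import secrets

# ---------- Magnetic stripe: static data ----------
# Constructed sample track 2 data, not a real card.
TRACK2 = b"4111111111111111=2512101"


def magstripe_authorize(presented_track: bytes) -> bool:
    """A stripe terminal can only check that the static track matches what
    the issuer has on file; anything that can read it can replay it."""
    return hmac.compare_digest(presented_track, TRACK2)


# ---------- EMV-style chip: per-transaction cryptogram ----------
class ChipCard:
    """Holds a secret key that never leaves the chip and an Application
    Transaction Counter (ATC) that increments on every transaction."""

    def __init__(self, pan: bytes, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def cryptogram(self, amount: int, unpredictable_number: bytes):
        self.atc += 1
        data = b"|".join([self.pan, str(amount).encode(),
                          unpredictable_number, str(self.atc).encode()])
        return self.atc, hmac.new(self._key, data, hashlib.sha256).digest()


class Issuer:
    """Verifies cryptograms with its own copy of the card key and rejects
    any ATC it has already accepted (a replayed transaction)."""

    def __init__(self, pan: bytes, key: bytes):
        self.pan, self._key, self.last_atc = pan, key, 0

    def authorize(self, amount: int, unpredictable_number: bytes,
                  atc: int, cryptogram: bytes) -> bool:
        if atc <= self.last_atc:          # old counter: replay or clone
            return False
        data = b"|".join([self.pan, str(amount).encode(),
                          unpredictable_number, str(atc).encode()])
        expected = hmac.new(self._key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False                  # wrong key or wrong terminal nonce
        self.last_atc = atc
        return True


def chip_terminal(issuer: Issuer, card_fn, amount: int) -> bool:
    """The terminal picks a fresh unpredictable number (UN) per transaction
    and asks whatever is in the slot for a cryptogram over it."""
    un = secrets.token_bytes(4)
    atc, cg = card_fn(amount, un)
    return issuer.authorize(amount, un, atc, cg)


def demo() -> dict:
    results = {}
    # A skimmer copies the stripe; the copy authorizes like the original.
    skimmed_copy = bytes(TRACK2)
    results["magstripe_clone_authorized"] = magstripe_authorize(skimmed_copy)

    key = secrets.token_bytes(32)  # provisioned into the chip and issuer HSM
    pan = b"4111111111111111"
    card, issuer = ChipCard(pan, key), Issuer(pan, key)

    # Genuine purchase. Assume the attacker captured everything the
    # terminal saw: amount, UN, ATC and the cryptogram.
    captured = {}

    def sniffed_card(amount, un):
        atc, cg = card.cryptogram(amount, un)
        captured.update(amount=amount, atc=atc, cg=cg)
        return atc, cg

    results["genuine_purchase_authorized"] = chip_terminal(issuer, sniffed_card, 4200)

    # Clone attempt 1: replay the captured ATC and cryptogram verbatim.
    results["replay_authorized"] = chip_terminal(
        issuer, lambda a, un: (captured["atc"], captured["cg"]), captured["amount"])
    # Clone attempt 2: bump the ATC so it looks fresh; without the key the
    # cryptogram cannot be recomputed over the terminal's new UN.
    results["forged_atc_authorized"] = chip_terminal(
        issuer, lambda a, un: (captured["atc"] + 1, captured["cg"]), captured["amount"])
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run as a script, the stripe clone is accepted and the genuine chip purchase succeeds, while both the verbatim replay and the counter-bumped forgery are refused: the first by the issuer's ATC check, the second because the cryptogram no longer matches the terminal's fresh unpredictable number. Note what the model does not cover: the card number itself still leaks and can be used for card-not-present fraud, which is exactly the gap the retail trade groups point to below.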

In the U.S., MasterCard and Visa have set October 2015 as the date of a liability shift intended to push retailers to support EMV smartcards. After that date, liability for counterfeit card fraud falls on whichever party to a transaction has not adopted EMV, so a retailer that has not upgraded its terminals absorbs fraud losses it could previously pass on to the card-issuing bank.

The credit card companies have not mandated the use of PINs in the U.S. Instead, they have left it up to retailers and card-issuing banks to decide whether to require a PIN.

The National Retail Federation (NRF) and other retail industry trade groups have raised a ruckus over this issue. They have claimed that moving to smartcards without a mandatory PIN is a half-baked move. They have noted, for example, that EMV technology does little to prevent crooks from using stolen card numbers to make online or phone purchases, the card-not-present fraud that a chip cannot protect against.

In numerous position papers and statements over the past several months, they have proposed alternatives to EMV technology such as tokenization and end-to-end encryption, which they argue are cheaper and more effective.

According to the NRF and others, if the U.S. payment industry has to embrace more secure technology, it makes sense to move to something that addresses both current and emerging security threats, rather than just part of the problem, as smartcards do.

While such concerns might have merit, they ignore time constraints.

Cybercrooks are not waiting for the U.S. retail industry to finish debating the merits and demerits of different technologies. In recent years, much of the credit and debit card fraud has migrated from other countries to the U.S. simply because magnetic stripe cards are a much easier target than smartcards.

Smartcards will almost certainly make it harder for crooks to perpetrate payment card fraud. While the cards may not be perfect, they are safer than magnetic stripe cards. There's nothing to stop merchants from implementing a PIN requirement if they want to. Nor is there anything to prevent merchants from adopting end-to-end encryption or tokenization as additional measures to bolster card security.

Implementing better security is going to cost money, with estimates into the billions of dollars. Across the U.S., merchants will need to replace or upgrade an estimated 13 million point-of-sale systems to make them ready for EMV card transactions. But the alternative is more data breaches of the sort that Supervalu acknowledged this week.

And those often prove even more costly to remediate than just implementing more secure technology in the first place.


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.